ISO 27001 Clause 7.5 Documented information Implementation Guideline
Required activity
The organization includes documented information within the ISMS as directly required by ISO/IEC 27001, also as determined by the organization as being necessary for the effectiveness of the ISMS.
Implementation Guideline
Documented information is required to define and communicate information security objectives, policy, guidelines, instructions, controls, processes, procedures, and what persons or groups of individuals are expected to try to do and the way they’re expected to behave. Documented information is additionally needed for audits of the ISMS and to take care of a stable ISMS when persons in key roles change. Further, documented information is required for recording actions, decisions and outcome(s) of ISMS processes and knowledge security controls.
Documented information can contain:
- Information about information security objectives, risks, requirements and standards;
- Information about processes and procedures to be followed;
- Records of the input (e.g. for management reviews) and therefore the outcomes of processes (including plans and outcomes of operational activities).
There are many activities within the ISMS that produce documented information that’s used, most of the time, as an input for an additional activity. ISO/IEC 27001 requires a group of mandatory documented information and contains a general requirement that additional documented information is required if it’s necessary for the effectiveness of the ISMS.
The amount of documented information needed is usually associated with the dimensions of the organization. In total, the mandatory and extra documented information contains sufficient information to permit the performance evaluation requirements laid out in Clause 9 to be administered.
The amount of documented information needed is usually associated with the dimensions of the organization. In total, the mandatory and extra documented information contains sufficient information to permit the performance evaluation requirements laid out in Clause 9 to be administered.
The organization should determine what documented information is important for ensuring effectiveness of its ISMS additionally to mandatory documented information required by ISO/IEC 27001.The documented information should be there to suit the aim. Factual and ‘to the point’ information is what’s needed.
Examples of documented information which will be determined by the organization to be necessary for ensuring effectiveness of its ISMS are:
- The results of the context establishment;
- The roles, responsibilities and authorities;
- Reports of the various phases of the danger management;
- Resources determined and provided;
- The expected competence;
- Plans and results of awareness activities;
- Plans and results of communication activities;
- Documented information of external origin that’s necessary for the ISMS;
- Process to regulate documented information;
- Policies, rules and directives for guiding and operating information security activities;
- Processes and procedures required to implement, maintain and improve the ISMS and therefore the overall information security status;
- Action plans;
- Evidence of the results of ISMS processes (e.g. incident management, access control, information security continuity, equipment maintenance, etc.).
Documented information’s are often of internal or external origin.
ISO 27001 Clause 7.5.2 Creating and updating
Required activity
When creating and updating documented information, the organization ensures its appropriate identification and outline, format and media, and review and approval.
Implementation Guideline
The organization identifies intimately how the documented information is best structured and defines an appropriate documentation approach. Review and approval by appropriate management ensures that the documented information is correct, suitable for the aim, and in an adequate form and detail for the intended audience. Regular reviews ensure continued suitability and adequacy of documented information.
Documented information could also be retained in any form, e.g. traditional documents (in both paper and electronic form), web pages, databases, computer logs, computer generated reports, audio and video. Moreover, documented information may contain specifications of intent (e.g. the knowledge security policy) or records of performance (e.g. the results of an audit) or a mix of both. the subsequent guidance applies on to traditional documents and will be interpreted appropriately when applied to other sorts of documented information.
Organizations should create a structured documented information library, linking different parts of documented information by:
- Determining the structure of the documented information framework;
- Determining the quality structure of the documented information;
- Providing templates for various sorts of documented information;
- Determining the responsibilities for preparing, approving, publishing and managing the documented information;
Determining and documenting the revision and approval process to make sure continual suitability and adequacy.
Read More : https://www.info-savvy.com/iso-27001-clause-7-5-documented-information-implementation-guideline/
------------------------------------------------------------------------------------------------------------
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com
Comments
Post a Comment